Privacy Issues in Marketing: What Most Teams Get Wrong
Privacy issues in marketing have moved from compliance footnote to commercial risk in a short period of time. Most marketing teams are not running campaigns that break the law. They are running campaigns built on data practices that were acceptable five years ago and are quietly becoming untenable now, without anyone having made a deliberate decision to change course.
The problem is not usually ignorance. It is inertia. The consent flows, tracking setups, and data-sharing arrangements that powered a decade of performance marketing were built for a different environment. Many teams have patched and extended them rather than rebuilding from a cleaner foundation.
Key Takeaways
- Most marketing privacy failures are structural, not intentional. They come from inherited data practices no one has formally reviewed.
- Consent is not a checkbox. Regulators are increasingly scrutinising whether consent was genuinely informed, not just technically obtained.
- Third-party data dependency is a compounding risk. Every year that passes without a first-party data strategy makes the eventual transition more expensive.
- The teams that handle privacy well treat it as an operational discipline, not a legal obligation handed to someone else to manage.
- Privacy pressure is not going away. The regulatory direction across both the US and Europe is toward tighter controls, not looser ones.
Why Marketing Teams Keep Getting This Wrong
I have sat in planning sessions where privacy came up exactly once, near the end, when someone asked whether legal had signed off. That is the wrong model. It treats privacy as a gate to pass through rather than a design constraint to build around from the start.
The agencies and in-house teams that handle this well do not have better lawyers. They have cleaner operational habits. Privacy considerations are embedded in how campaigns are scoped, how data is collected, and how audiences are built. It is not a separate workstream. It is part of the brief.
When I was running agencies, one of the recurring problems I saw was that the people who understood the data architecture (developers, ad ops, analytics leads) were rarely in the same room as the people making campaign decisions. That gap is where most privacy issues live. Not in malicious intent, but in the space between teams who do not communicate clearly enough about what data is being collected, where it goes, and what it is being used for.
If you want a broader view of how privacy fits into the wider discipline of running a marketing function well, the Marketing Operations hub covers the operational and structural side of marketing in more depth.
The Consent Problem Is More Serious Than Most Teams Realise
Consent has become the load-bearing wall of digital marketing compliance, and a lot of teams are leaning on walls that are not as solid as they assume.
The common misconception is that consent is a binary: either you have it or you do not. Regulators, particularly in Europe, have moved well past that framing. The question now is whether consent was freely given, specific, informed, and unambiguous. A pre-ticked box does not meet that standard. A cookie banner that makes declining harder than accepting does not meet that standard. A privacy policy that runs to 6,000 words of legal prose that no ordinary person would read does not meet that standard.
This matters commercially, not just legally. Consent obtained through friction and confusion is consent that erodes trust. I have seen brands invest heavily in building audiences through practices that technically cleared compliance review, only to find that those audiences performed poorly because the underlying relationship with the customer was weak. The data was there. The goodwill was not.
The Unbounce team has written honestly about how marketers think about data privacy and GDPR, and one of the more useful observations is that marketers who treat privacy as a customer experience issue, rather than a legal one, tend to end up with both better compliance and better performance. That framing is worth borrowing.
What the Third-Party Cookie Collapse Actually Means for Your Data Strategy
The slow death of third-party cookies has been discussed so extensively that many teams have developed a kind of fatigue around it. That fatigue is understandable but dangerous, because the underlying shift is real and the teams that have not adapted are accumulating risk quietly.
The practical issue is not just targeting. It is measurement. A significant proportion of attribution models in use today rely on data signals that are becoming less reliable, more restricted, or outright unavailable depending on the browser, device, and jurisdiction. Teams that have not stress-tested their measurement approach against a world with fewer signals are flying with instruments that are increasingly unreliable.
I spent years managing large performance budgets across multiple channels, and one of the things I learned is that the confidence marketers place in their attribution data is almost always higher than the data warrants. Analytics tools give you a perspective on what happened, not a complete picture of it. That was true before the cookie changes accelerated. It is more true now.
Google and Gmail have faced heightened privacy obstacles that illustrate how quickly the major platforms can find themselves constrained by regulatory and technical pressure. What looks like a stable data environment can shift faster than a campaign cycle.
The teams that are handling this well are not waiting for a clean technical solution to arrive. They are building first-party data programmes, investing in contextual targeting, and accepting that some measurement precision is gone and will not come back. That is a more honest operating posture than hoping the industry finds a privacy-compliant replacement for the old infrastructure that works just as well.
The Channels Where Privacy Risk Concentrates
Not all channels carry the same privacy exposure. Understanding where the risk concentrates helps teams prioritise their attention rather than spreading a compliance review thinly across everything.
Email marketing sits at the top of the list for most teams, because the data practices that built email lists over the past decade were often loose. Purchased lists, co-registration arrangements, data appends from third-party providers. These practices are not uniformly illegal, but they are increasingly scrutinised, and the consent provenance on a list built this way is rarely clean enough to withstand a serious challenge.
Behavioural retargeting is the second major area. The pixel-based tracking infrastructure that powers retargeting across the open web has been under pressure from browser changes, iOS updates, and regulatory guidance for several years now. Many teams are still running retargeting campaigns on the assumption that their tracking is working as it did in 2019. It is not.
Tools like Hotjar and similar behavioural analytics platforms are widely used by marketing teams to understand on-site behaviour. These tools are genuinely useful, but they also collect personal data, and the consent and disclosure requirements around their use are not always well understood by the marketers deploying them. If you are using session recording or heatmap tools, the question of whether your visitors know about it and have consented to it is worth checking carefully.
Paid social is the third area. The data-sharing arrangements between advertisers and platforms like Meta involve transferring customer data in ways that are subject to data processing agreements, terms of service restrictions, and in some jurisdictions, specific regulatory requirements. The Custom Audiences feature, for example, requires advertisers to confirm that they have the right to use the data they upload. Many teams click through that confirmation without having genuinely verified it.
How Organisational Structure Makes Privacy Problems Worse
Privacy issues in marketing are often framed as a knowledge problem. Teams do not know the rules, so they break them. But in my experience, the more common problem is structural. Teams know, broadly, that privacy matters. They just do not have clear ownership of it, and so it falls between functions.
Legal owns compliance in the abstract. Marketing owns campaigns in practice. Technology owns the data infrastructure. And nobody owns the intersection of all three in a way that produces clear, actionable decisions about specific campaigns and data practices.
When I grew an agency from around 20 people to over 100, one of the things that became clear was that the informal communication that handles cross-functional issues in a small team does not scale. At 20 people, the person who knew about data practices and the person making campaign decisions were probably talking every day. At 100 people, they might be in different buildings and have never had a direct conversation. Structure has to compensate for what informal communication used to do.
BCG has written about agile marketing organisation design, and one of the principles that applies here is the idea that cross-functional ownership of complex issues requires deliberate structural design, not just goodwill. Privacy is a cross-functional issue. Treating it as one organisationally is not optional.
The practical implication is that someone in the marketing function needs to own privacy as an operational responsibility, not just a compliance obligation. That does not mean a dedicated privacy officer for every team. It means someone who understands the data flows in the marketing stack, can translate regulatory requirements into campaign decisions, and has the authority to stop something that is not right before it ships.
The Commercial Case for Getting Privacy Right
There is a version of the privacy conversation that is entirely about risk avoidance. Do not get fined. Do not end up in the press for the wrong reasons. That framing is legitimate but limited. The more interesting argument is that good privacy practice is a commercial advantage, and teams that understand this tend to do better work.
The reason is straightforward. If your marketing is built on data that customers knowingly and willingly shared with you, the signal quality is better. Customers who have opted in to a relationship are more likely to engage, more likely to convert, and more likely to remain customers. The data is cleaner because the relationship is cleaner.
I have a view that marketing is often used as a blunt instrument to prop up businesses with more fundamental problems. Companies that genuinely build good products, communicate honestly, and treat customers well tend to need less aggressive marketing than companies that do not. Privacy fits into that frame. Businesses that treat customer data with respect are usually the same businesses that treat customers with respect more broadly. It is a symptom of something deeper about how the organisation operates.
The Forrester perspective on marketing planning and transformation is relevant here. The teams that handle structural challenges well, whether that is privacy, measurement, or organisational change, are the ones that plan deliberately rather than reacting to external pressure. Privacy is not a crisis to manage. It is a condition to plan around.
An integrated data strategy is part of what makes this work in practice. Optimizely has published thinking on integrated data strategy for marketing organisations that is worth engaging with if you are thinking about how to build a first-party data capability that is both compliant and commercially useful. The two goals are not in tension. They tend to reinforce each other.
What a Pragmatic Privacy Review Actually Looks Like
Telling a marketing team to “get privacy right” without being specific about what that means in practice is not useful. Here is what a pragmatic review looks like for a team that wants to make meaningful progress without turning it into a six-month compliance project.
Start with your data inventory. Not the theoretical one in your privacy policy, but the actual one. What data are you collecting, where, how, and where does it go? Most teams find, when they do this honestly, that the answer is more complicated than they expected. Pixels firing on pages where they should not be. Data flowing to third-party tools that nobody actively chose to use anymore. Email lists that include contacts from sources nobody can clearly identify.
Then look at your consent mechanisms. Not whether they exist, but whether they are working as intended. Is your cookie banner actually recording and honouring consent choices? Is the opt-in language on your lead forms specific enough to support the ways you are actually using the data? Is there a clear process for handling data subject requests when they come in?
Then look at your third-party relationships. Every tool in your marketing stack that touches personal data is a data processor, and you have legal obligations around those relationships in most jurisdictions. Data processing agreements need to exist and need to be current. This is often the area where the gap between what teams think is in place and what is actually documented is largest.
None of this requires specialist legal knowledge to start. It requires someone with enough operational authority to ask the right questions and enough persistence to get honest answers. The teams that are furthest behind on privacy are usually the ones where nobody has been given that mandate clearly.
More on the operational discipline required to run a marketing function effectively, including how teams structure accountability for complex cross-functional issues, is covered across the Marketing Operations hub. If privacy is one gap in your operational model, there are likely others worth examining at the same time.
The Direction of Travel Is Clear
One of the arguments I hear from teams that are slow to address privacy is that the regulatory environment is uncertain. Rules are changing, enforcement is inconsistent, and it is hard to know what standard to build toward. That argument has some validity but it is mostly a rationalisation for inaction.
The direction of travel is not uncertain. Across both the US state-level landscape and the European regulatory environment, the trend is consistently toward stronger privacy protections, more explicit consent requirements, and greater individual rights over personal data. The pace and specifics vary. The direction does not.
Teams that build their data practices around the strongest plausible standard, rather than the minimum current requirement, are making a sensible long-term bet. They are also, in most cases, building practices that are more defensible commercially, not just legally. Customers are more aware of data practices than they were five years ago. That awareness is not going to decrease.
I have judged the Effie Awards and seen the work that genuinely drives business results. The campaigns that hold up over time are almost never the ones built on the most aggressive data extraction. They are the ones built on a genuine understanding of customers and a clear value exchange. Privacy-respecting marketing is not a constraint on effectiveness. In most cases, it is a precondition for it.
About the Author
Keith Lacy is a marketing strategist and former agency CEO with 20+ years of experience across agency leadership, performance marketing, and commercial strategy. He writes The Marketing Juice to cut through the noise and share what works.
